Puppetca and smart proxy

Since upgrading to foreman 0.3 I've been having problems getting
puppetca + smart proxy to work. Prior to 0.3, everything was working
pretty smooth, so I'm not sure what I hosed. Here's something that
sticks out to me in the smart-proxy log (/tmp/proxy.log)

Failed to list certificates: Unable to find CA inventory file at /var/lib/puppet/ssl/ca/inventory.txt

This file does exist and I do see all of my clients listed in the
file. In the meantime, I turned off SSL for my smart-proxy just to
reduce any 'extra complexity'.

> Since upgrading to foreman 0.3 I've been having problems getting
> puppetca + smart proxy to work. Prior to 0.3, everything was working
> pretty smooth, so I'm not sure what I hosed. Here's something that
> sticks out to me in the smart-proxy log (/tmp/proxy.log)
>
> Failed to list certificates: Unable to find CA inventory file at /var/lib/puppet/ssl/ca/inventory.txt
>

Permissions? Try adding the user which runs the proxy to the puppet group.

··· On Fri, Jun 10, 2011 at 6:47 AM, Luke Baker wrote:

This file does exist and I do see all of my clients listed in the
file. In the meantime, I turned off SSL for my smart-proxy just to
reduce any ‘extra complexity’.


You received this message because you are subscribed to the Google Groups
"Foreman users" group.
To post to this group, send email to foreman-users@googlegroups.com.
To unsubscribe from this group, send email to
foreman-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/foreman-users?hl=en.

Alright, I got this sorted out…

Turns out I had a duplicate certificate that was signed for my puppet
master. Once I removed that cert things were good.

··· On Jun 10, 1:00 am, Ohad Levy wrote:

> Alright, I got this sorted out…
>
> Turns out I had a duplicate certificate that was signed for my puppet
> master. Once I removed that cert things were good.

Could you explain a bit more? It does not make much sense to me…
In fact, you can have multiple certificates for your master (e.g. one CA
certificate and another puppet client certificate)…

··· On Mon, 2011-06-13 at 07:35 -0700, Luke Baker wrote:

Well, I had a signed certificate for my puppetmaster - I also had
another signed certificate for the puppetmaster (the file name was
different). Once I deleted this certificate, 'things' just started
working. Not sure what was going on there.

··· On Jun 13, 9:38 am, Ohad Levy wrote:

Hi Luke, Ohad

I am also getting the same error message, if I execute the puppetca
command from cmd line it's not throwing any error.

D, [2011-06-17T08:04:24.665421 #17248] DEBUG -- : Found puppetca at /usr/sbin/puppetca
D, [2011-06-17T08:04:24.665731 #17248] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2011-06-17T08:04:24.665908 #17248] DEBUG -- : Executing /usr/bin/sudo -S /usr/sbin/puppetca --list --all
E, [2011-06-17T08:04:25.547190 #17248] ERROR -- : Failed to list certificates: Unable to find CA inventory file at /var/lib/puppet/ssl/ca/inventory.txt
^C
[root@testvm1 ~]# /usr/bin/sudo -S /usr/sbin/puppetca --list --all

Any help would be appreciated.

Thanks
Bency

··· On Jun 16, 9:23 am, Luke Baker wrote:

> Hi Luke, Ohad
>
> I am also getting the same error message, if I execute the puppetca
> command from cmd line it's not throwing any error.
>
> D, [2011-06-17T08:04:24.665421 #17248] DEBUG -- : Found puppetca at /usr/sbin/puppetca
> D, [2011-06-17T08:04:24.665731 #17248] DEBUG -- : Found sudo at /usr/bin/sudo
> D, [2011-06-17T08:04:24.665908 #17248] DEBUG -- : Executing /usr/bin/sudo -S /usr/sbin/puppetca --list --all
> E, [2011-06-17T08:04:25.547190 #17248] ERROR -- : Failed to list certificates: Unable to find CA inventory file at /var/lib/puppet/ssl/ca/inventory.txt
> ^C
> [root@testvm1 ~]# /usr/bin/sudo -S /usr/sbin/puppetca --list --all
> + centos.apnonline.co.nz (09:8E:0C:54:42:2A:36:3D:2D:0E:58:39:CA:9A:6B:ED)
>

Are you running your smart proxy as root? I'm guessing not…
As the proxy user, try to run both the sudo command and to see if you can
see the content of /var/lib/puppet/ssl/ca/inventory.txt.

Most likely you simply need to add the foreman-proxy account to the puppet
group.

··· On Thu, Jun 16, 2011 at 11:07 PM, Bency wrote:

Thanks Ohad!

It was indeed a permission issue, your suggestion was right on the
money :)

··· On Jun 17, 5:14 pm, Ohad Levy wrote:
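
The check suggested in the thread (can the proxy account actually reach the inventory file, and would membership of the puppet group fix it) can be answered from the mode bits along the path. The following is an added example, not part of the thread or of Foreman's code; `ids_for` and `first_blocker` are hypothetical helper names, and only classic owner/group/other permissions are considered, not ACLs or SELinux.

```python
import grp
import os
import pwd
import stat

def ids_for(user):
    """(uid, gids) for a local account, including supplementary groups."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids

def _granted(st, uid, gids, want):
    """Classic Unix DAC: exactly one class (owner, group, other) is consulted."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def first_blocker(path, uid, gids, start="/"):
    """Return (component, gid) for the first component below `start` that the
    account cannot search (directory) or read (final file), else None.
    gid is the group whose membership would grant access, or None."""
    start = os.path.realpath(start)
    rel = os.path.relpath(os.path.realpath(path), start)
    current = start
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        st = os.stat(current)  # run as root so every component can be stat'ed
        want = 1 if stat.S_ISDIR(st.st_mode) else 4  # x on dirs, r on the file
        if _granted(st, uid, gids, want):
            continue
        group_helps = st.st_uid != uid and ((st.st_mode >> 3) & want) == want
        return current, (st.st_gid if group_helps else None)
    return None

if __name__ == "__main__":
    # Account name and path are the ones mentioned in the thread.
    uid, gids = ids_for("foreman-proxy")
    print(first_blocker("/var/lib/puppet/ssl/ca/inventory.txt", uid, gids))
```

A result of `None` means the account can read the file; a returned gid names the group that would grant access at the blocking component, which in the thread's case was the puppet group.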